DNS analysis

Third-Party Tools

Use these first: they are completely passive and use Internet infrastructure instead of your own machine.

dig

Powerful Linux-based tool used to gather and analyze DNS records.

Gather All Records for a Domain

This command uses the ANY query type to gather information; the +norecursive/+recursive switches control whether the server resolves on your behalf.

dig @<network dns server> sec542.org -t any
dig @<network dns server> sec560.org +norecursive    # Turns off recursion
dig @<network dns server> sec560.org +recursive      # Turns on recursion

Simplified PTR Lookups

Using the -x flag is the same as running a dig PTR query; dig builds the reverse (in-addr.arpa / ip6.arpa) name for you.

dig -x <ip address>

Attempt Full Zone Transfer

Very unlikely to work from the outside, as most domains should not allow external zone transfers. It is more likely to succeed from the inside. Always attempt it anyway!

dig @<network dns server> m4lwhere.org -t axfr
dig @<network dns server> AXFR m4lwhere.org
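As an added example (not part of these notes), a small Python helper that takes the text dig prints for a successful AXFR, separates the records from dig's comment lines, and flags hosts that resolve to RFC 1918 / ULA / link-local addresses, which is the evidence you hand the zone owner of what the transfer exposed. The sample transfer below is constructed; the domain, hosts and addresses are placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of what `dig @ns AXFR example.test` prints when the
# server allows the transfer (names/addresses are made up).
SAMPLE_AXFR = """\
; <<>> DiG <<>> @ns1.example.test AXFR example.test
;; global options: +cmd
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test.\t3600\tIN\tNS\tns1.example.test.
example.test.\t3600\tIN\tMX\t10 mail.example.test.
ns1.example.test.\t3600\tIN\tA\t203.0.113.10
mail.example.test.\t3600\tIN\tA\t203.0.113.25
backup-vpn.example.test.\t300\tIN\tA\t10.20.30.40
intranet.example.test.\t300\tIN\tAAAA\tfd00::1
www.example.test.\t300\tIN\tCNAME\tweb.example.test.
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
;; Query time: 12 msec
"""

# dig prints one record per line: name  ttl  IN  type  rdata (whitespace separated)
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.*)$")

# Ranges that should never appear in a zone an outsider can transfer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",               # IPv6 ULA, link-local, loopback
)]

def parse_axfr(text):
    """Return (name, ttl, type, rdata) tuples, skipping dig's ';' comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    # A transfer repeats the SOA at the end; drop the duplicate so counts are right.
    if len(records) > 1 and records[0][2] == "SOA" and records[-1][2] == "SOA":
        records.pop()
    return records

def record_counts(records):
    """How many records of each type the zone holds."""
    return Counter(rtype for _, _, rtype, _ in records)

def leaked_internal_hosts(records):
    """A/AAAA records whose address sits in an internal range: hosts the zone
    should not be advertising to the outside world."""
    leaked = []
    for name, _, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        addr = ipaddress.ip_address(rdata.strip())
        if any(addr in net for net in INTERNAL_NETS):
            leaked.append((name, str(addr)))
    return leaked
```

Run `parse_axfr` on the saved dig output and hand `leaked_internal_hosts` to whoever owns the zone; the count of records per type is a quick measure of how much the transfer gave away.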

nslookup

We can use nslookup from a Windows host to try and gather information as well.

C:\Users\m4lwhere> nslookup
> server <network dns server>
> set type=AXFR
> ls -d goblins.local

dnsrecon

Multi-threaded DNS tool written in Python 3.

dnsrecon -d m4lwhere.org -n <network dns server>

DNS Brute Forcing

Attempt to enumerate DNS hostnames by guessing subdomains.

gobuster

Uses gobuster in dns mode for DNS subdomain brute forcing; it is multi-threaded 😎

gobuster dns -d m4lwhere.org -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

Nmap Script

This command takes lots of switches: the script args set the target domain, the thread count and the hostname wordlist, and newtargets adds every discovered host to the scan.

nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
